{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,25]],"date-time":"2026-04-25T15:20:36Z","timestamp":1777130436014,"version":"3.51.4"},"reference-count":26,"publisher":"MDPI AG","issue":"3","license":[{"start":{"date-parts":[[2019,2,11]],"date-time":"2019-02-11T00:00:00Z","timestamp":1549843200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Sensors"],"abstract":"<jats:p>IoT botnets have been used to launch Distributed Denial-of-Service (DDoS) attacks affecting the Internet infrastructure. To protect the Internet from such threats and improve security mechanisms, it is critical to understand the botnets\u2019 intents and characterize their behavior. Current malware analysis solutions, when faced with IoT, present limitations in regard to the network access containment and network traffic manipulation. In this paper, we present an approach for handling the network traffic generated by the IoT malware in an analysis environment. The proposed solution can modify the traffic at the network layer based on the actions performed by the malware. In our study case, we investigated the Mirai and Bashlite botnet families, where it was possible to block attacks to other systems, identify attacks targets, and rewrite botnets commands sent by the botnet controller to the infected devices.<\/jats:p>","DOI":"10.3390\/s19030727","type":"journal-article","created":{"date-parts":[[2019,2,12]],"date-time":"2019-02-12T03:18:20Z","timestamp":1549941500000},"page":"727","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":68,"title":["Improving IoT Botnet Investigation Using an Adaptive Network Layer"],"prefix":"10.3390","volume":"19","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-6847-8025","authenticated-orcid":false,"given":"Jo\u00e3o Marcelo","family":"Ceron","sequence":"first","affiliation":[{"name":"DACS, University of Twente, 7522 NB Enschede, The Netherlands"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Klaus","family":"Steding-Jessen","sequence":"additional","affiliation":[{"name":"CERT.br, Brazilian National Computer Emergency Response Team, Brazil, S\u00e3o Paulo 05801-000, Brazil"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Cristine","family":"Hoepers","sequence":"additional","affiliation":[{"name":"CERT.br, Brazilian National Computer Emergency Response Team, Brazil, S\u00e3o Paulo 05801-000, Brazil"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8956-8660","authenticated-orcid":false,"given":"Lisandro Zambenedetti","family":"Granville","sequence":"additional","affiliation":[{"name":"UFRGS, Federal University of Rio Grande do Sul, Porto Alegre 91501-970, Brazil"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4441-8778","authenticated-orcid":false,"given":"C\u00edntia Borges","family":"Margi","sequence":"additional","affiliation":[{"name":"USP, University of S\u00e3o Paulo, S\u00e3o Paulo 05508-010, Brazil"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2019,2,11]]},"reference":[{"key":"ref_1","unstructured":"Land, J. (2017). Systemic Vulnerabilities in Customer-Premises Equipment (CPE) Routers, Carnegie Mellon University. CMU\/SEI-2017-SR-019."},{"key":"ref_2","doi-asserted-by":"crossref","unstructured":"Cozzi, E., Graziano, M., Fratantonio, Y., and Balzarotti, D. (2018, January 21\u201323). Understanding Linux Malware. Proceedings of the IEEE Symposium on Security & Privacy, San Francisco, CA, USA.","DOI":"10.1109\/SP.2018.00054"},{"key":"ref_3","unstructured":"Dyn, O. (2018, January 30). Dyn Statement on 10\/21\/2016 DDoS Attack. Available online: http:\/\/dyn.com\/blog\/dyn-statement-on-10212016-ddos-attack\/."},{"key":"ref_4","unstructured":"Krebs, B. (2018, January 30). KrebsOnSecurity Hit with Record DDoS. Available online: https:\/\/krebsonsecurity.com\/2016\/09\/krebsonsecurity-hit-with-record-ddos\/."},{"key":"ref_5","doi-asserted-by":"crossref","unstructured":"Santanna, J.J., van Rijswijk-Deij, R., Hofstede, R., Sperotto, A., Wierbosch, M., Granville, L.Z., and Pras, A. (2015, January 11\u201315). Booters\u2014An analysis of DDoS-as-a-service attacks. Proceedings of the 2015 IFIP\/IEEE International Symposium on Integrated Network Management (IM), Ottawa, ON, Canada.","DOI":"10.1109\/INM.2015.7140298"},{"key":"ref_6","doi-asserted-by":"crossref","first-page":"80","DOI":"10.1109\/MC.2017.201","article-title":"DDoS in the IoT: Mirai and Other Botnets","volume":"50","author":"Constantinos","year":"2017","journal-title":"Computer"},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"76","DOI":"10.1109\/MC.2017.62","article-title":"Botnets and Internet of Things Security","volume":"50","author":"Bertino","year":"2017","journal-title":"Computer"},{"key":"ref_8","unstructured":"Antonakakis, M., April, T., Bailey, M., Bernhard, M., Bursztein, E., Cochran, J., Durumeric, Z., Halderman, J.A., Invernizzi, L., and Kallitsis, M. (2017, January 16\u201318). Understanding the Mirai Botnet. Proceedings of the 26th USENIX Security Symposium (USENIX Security 17), USENIX Association, Vancouver, BC, Canada."},{"key":"ref_9","unstructured":"Network Security Research Lab at 360 (2018, January 30). Botnets never Die, Satori REFUSES to Fade Away. Available online: http:\/\/blog.netlab.360.com\/botnets-never-die-satori-refuses-to-fade-away-en\/."},{"key":"ref_10","doi-asserted-by":"crossref","first-page":"12","DOI":"10.1109\/MPRV.2018.03367731","article-title":"N-BaIoT\u2014Network-Based Detection of IoT Botnet Attacks Using Deep Autoencoders","volume":"17","author":"Meidan","year":"2018","journal-title":"IEEE Pervasive Comput."},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Prokofiev, A.O., Smirnova, Y.S., and Surov, V.A. (February, January 29). A method to detect Internet of Things botnets. Proceedings of the 2018 IEEE Conference of Russian Young Researchers in Electrical and Electronic Engineering (EIConRus), Moscow, Russia.","DOI":"10.1109\/EIConRus.2018.8317041"},{"key":"ref_12","first-page":"1","article-title":"IoTPOT: Analysing the rise of IoT compromises","volume":"9","author":"Pa","year":"2015","journal-title":"EMU"},{"key":"ref_13","unstructured":"The OpenWrt Embedded Development Framework (2018, January 30). OpenWrt\u2014 Linux Operating System Targeting Embedded Devices. Available online: https:\/\/openwrt.org\/."},{"key":"ref_14","unstructured":"Indian Honeynet Project (2018, January 30). Detux\u2014The Linux Sandbox. Available online: https:\/\/github.com\/detuxsandbox\/detux."},{"key":"ref_15","unstructured":"Gamblin, J. (2018, January 30). The malware Mirai Source Code. Available online: https:\/\/github.com\/jgamblin\/Mirai-Source-Code\/."},{"key":"ref_16","unstructured":"US-CERT (2016). Heightened DDoS Threat Posed by Mirai and Other Botnets."},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Ceron, J., Margi, C., and Granville, L. (2016, January 27\u201330). MARS: An SDN-Based Malware Analysis Solution. Proceedings of the ISCC 2016\u2014The Twenty First IEEE Symposium on Computers and Communications, Messina, Italy.","DOI":"10.1109\/ISCC.2016.7543792"},{"key":"ref_18","doi-asserted-by":"crossref","first-page":"261","DOI":"10.1016\/j.comnet.2017.10.003","article-title":"MARS: From traffic containment to network reconfiguration in malware-analysis systems","volume":"129","author":"Ceron","year":"2017","journal-title":"Comput. Netw."},{"key":"ref_19","unstructured":"Tellez, A. (2018, January 30). The Malware Bashlite Source Code. Available online: https:\/\/github.com\/anthonygtellez\/BASHLITE\/."},{"key":"ref_20","unstructured":"Dulaunoy, A., Wagener, G., Mokaddem, S., and Wagner, C. (June, January 29). An Extended Analysis of an IoT malware From a BLACKHOLE network. Proceedings of the Networking Conference TNC\u201917, Linz, Austria."},{"key":"ref_21","unstructured":"Van der Elzen, I., and van Heugten, J. (2017). Techniques for Detecting Compromised IoT Devices, University of Amsterdam. Technical Report."},{"key":"ref_22","doi-asserted-by":"crossref","unstructured":"Shalimov, A., Zuikov, D., Zimarina, D., Pashkov, V., and Smeliansky, R. (2013, January 24\u201325). Advanced study of SDN\/OpenFlow controllers. Proceedings of the 9th Central & Eastern European Software Engineering Conference in Russia, Moscow, Russia.","DOI":"10.1145\/2556610.2556621"},{"key":"ref_23","unstructured":"Foundation, L. (2018, January 30). OpenvSwitch\u2014Open Virtual Switch. Available online: http:\/\/openvswitch.org\/."},{"key":"ref_24","unstructured":"CERT.br (2018, January 30). honeyTARG\u2014Distributed Honeypots Project. Available online: http:\/\/honeytarg.cert.br\/honeypots\/."},{"key":"ref_25","unstructured":"Bellard, F. (2018, January 30). QEMU Open Source Processor Emulator. Available online: http:\/\/www.qemu.org\/."},{"key":"ref_26","doi-asserted-by":"crossref","unstructured":"Kreibich, C., Weaver, N., Kanich, C., Cui, W., and Paxson, V. (2011, January 2\u20134). GQ: practical containment for measuring modern malware systems. Proceedings of the 11th ACM SIGCOMM Internet Measurement Conference, IMC \u201911, Berlin, Germany.","DOI":"10.1145\/2068816.2068854"}],"container-title":["Sensors"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1424-8220\/19\/3\/727\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T12:31:06Z","timestamp":1760185866000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1424-8220\/19\/3\/727"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019,2,11]]},"references-count":26,"journal-issue":{"issue":"3","published-online":{"date-parts":[[2019,2]]}},"alternative-id":["s19030727"],"URL":"https:\/\/doi.org\/10.3390\/s19030727","relation":{},"ISSN":["1424-8220"],"issn-type":[{"value":"1424-8220","type":"electronic"}],"subject":[],"published":{"date-parts":[[2019,2,11]]}}}